CVE-2017-2598: Inadequate Encryption Strength

May 23, 2018 (updated October 9, 2019)

Jenkins uses AES ECB block cipher mode without an IV for encrypting secrets, which makes Jenkins and the stored secrets vulnerable to unnecessary risks.

References

www.securityfocus.com/bid/95948
bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2598
jenkins.io/security/advisory/2017-02-01/
nvd.nist.gov/vuln/detail/CVE-2017-2598

Code Behaviors & Features

Detect and mitigate CVE-2017-2598 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →